Full Report
Forescout Technologies has analyzed data from a public malware repository, revealing a persistent presence of malware targeting operational... The post New Forescout research details persistent malware threats to OT/ICS engineering workstations appeared first on Industrial Cyber.
Analysis Summary
# Tool/Technique: Ramnit Worm
## Overview
Ramnit is a file infector malware that was identified infecting legitimate files on Mitsubishi engineering workstations during Forescout's analysis of malware targeting Operational Technology (OT) environments, especially engineering workstations.
## Technical Details
- Type: Malware family
- Platform: Windows (inferred from context of standard engineering workstations)
- Capabilities: File infection, spreading via infected executables.
- First Seen: Not specified, long history as a general-purpose malware, but observed targeting OT assets recently.
## MITRE ATT&CK Mapping
*Note: Since Ramnit is a general-purpose worm observed achieving initial access/persistence on specific OT assets, generic mappings apply.*
- TA0001 - Initial Access
  - T1192 - Drive-by Compromise (If spread via removable media or shared files)
- TA0002 - Execution
  - T1059 - Command and Scripting Interpreter
- TA0003 - Persistence
  - T1547 - Boot or Logon Autostart Execution
## Functionality
### Core Capabilities
- Infecting legitimate executable files found on compromised engineering workstations.
- Involved in incidents targeting Mitsubishi engineering workstations.
### Advanced Features
The context does not detail advanced features of Ramnit specifically, only its observation on targeted systems.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: [Not provided in the text, manifests as infection of existing clean files]
- Registry Keys: [Not provided in the text]
- Network Indicators: [Not provided in the text]
- Behavioral Indicators: Infection of executable files related to engineering software environments (e.g., Mitsubishi systems).
## Associated Threat Actors
- Not explicitly named in association with the observed OT incidents, but Ramnit has been historically associated with various cybercriminal groups.
## Detection Methods
- General-purpose malware detection tools flagged the infected files.
- Detection based on observing known Ramnit signatures within engineering executables.
## Mitigation Strategies
- Ensuring endpoint protection software (antivirus/EDR) on engineering workstations is enabled and up to date.
- Isolating engineering workstations via network segmentation.
## Related Tools/Techniques
- FrostyGoop/BUSTLEBERM (Another OT-specific malware mentioned in the context)
- Aisuru, Kaiten, Gafgyt (Botnet families analyzed concurrently)
***
# Tool/Technique: Chaya_003
## Overview
Chaya_003 is a name given by Forescout researchers to three new malware samples specifically designed to disrupt Siemens engineering processes.
## Technical Details
- Type: Malware family (New Samples)
- Platform: Siemens Engineering Workstations (Inferred)
- Capabilities: Designed to disrupt Siemens engineering processes.
- First Seen: Implied recently, as they were newly examined samples.
## MITRE ATT&CK Mapping
*Note: Mappings are inferred based on the stated goal of disruption.*
- TA0004 - Privilege Escalation
  - T1068 - Exploitation for Privilege Escalation
- TA0007 - Discovery
  - T1082 - System Information Discovery (To understand the engineering environment)
- TA0008 - Lateral Movement
- TA0010 - Impact
  - T1486 - Data Encrypted for Impact (If disruption involves data loss/corruption)
## Functionality
### Core Capabilities
- Direct targeting and disruption of Siemens engineering processes.
### Advanced Features
- Designed to interact with engineering software components specific to the Siemens ecosystem.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: Malware samples designated as Chaya_003 during analysis.
- Registry Keys: [Not provided in the text]
- Network Indicators: [Not provided in the text]
- Behavioral Indicators: Malicious activity observed specifically targeting Siemens TIA Portal related processes or files.
## Associated Threat Actors
- Not specified in the text.
## Detection Methods
- Custom YARA rules detecting embedded strings, API calls, or icons associated with Siemens engineering software, which identified three confirmed malicious executables.
## Mitigation Strategies
- Hardening engineering workstations used for Siemens software.
- Ensuring software integrity and using application whitelisting where possible.
## Related Tools/Techniques
- Phoenix Contact PC Worx related artifacts (as these were also included in YARA rule testing).
***
# Tool/Technique: YARA Rule for OT Artifacts (Forescout Custom)
## Overview
A custom YARA rule developed by Forescout Research – Vedere Labs to proactively identify potentially malicious executables uploaded to VirusTotal that show signs of tampering with or impersonating legitimate OT engineering software binaries.
## Technical Details
- Type: Detection Tool/Method (YARA Rule)
- Platform: Analysis Environment (Used against files uploaded to VirusTotal)
- Capabilities: Signature-based detection targeting binary artifacts in memory or on disk.
- First Seen: Developed between August and November of the reporting year.
## MITRE ATT&CK Mapping
- TA0005 - Defense Evasion
  - T1027 - Obfuscated Files or Information (Implicitly, by checking for legitimate resource usage)
- TA0011 - Command and Control (If the identified malware communicates outbound)
## Functionality
### Core Capabilities
- Scanning executables for specific signatures related to proprietary OT artifacts.
- Checking for embedding of engineering software names as strings.
- Detecting hooking or exporting of functions typically found in engineering software DLLs.
- Identifying executables using authentic-looking icon resources to impersonate legitimate software.
### Advanced Features
- Signatures incorporated indicators for Siemens TIA Portal, CODESYS v2, Mitsubishi GX Works, Rockwell Automation RSLogix500, and Phoenix Contact PC Worx.
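As an added illustration of the detection logic described above, the following YARA rule is example code written for this summary; it is not Forescout's rule and reproduces none of its signatures. It combines the three checks the summary lists: engineering product names embedded as strings, exported function names resembling vendor DLLs, and an icon resource, all on a PE file that carries no Authenticode signature. The product-name strings are the ones named in the summary; the rule name is arbitrary, and the export-name pattern is an explicit placeholder, because the page names no specific exports and the real values should come from baselining the legitimate vendor DLLs.

```yara
import "pe"

// Example rule written for this summary; not Forescout's rule.
rule OT_Engineering_Software_Impersonation_Example
{
    meta:
        description = "Unsigned PE that embeds OT engineering product names or exports vendor-style functions and carries an icon resource"
        reference   = "Forescout analysis summary (YARA Rule for OT Artifacts)"

    strings:
        // Product names listed in the summary, matched as ASCII and UTF-16LE
        $prod_tia     = "TIA Portal" ascii wide nocase
        $prod_codesys = "CODESYS" ascii wide nocase
        $prod_gxworks = "GX Works" ascii wide nocase
        $prod_rslogix = "RSLogix" ascii wide nocase
        $prod_pcworx  = "PC Worx" ascii wide nocase

    condition:
        // DOS header "MZ" (little-endian uint16)
        uint16(0) == 0x5A4D and
        // Legitimate vendor binaries are expected to be Authenticode-signed
        pe.number_of_signatures == 0 and
        (
            // 1) engineering software names embedded as strings
            any of ($prod_*) or
            // 2) exports resembling vendor engineering DLLs
            //    (PLACEHOLDER pattern: replace with names baselined from the real vendor DLLs)
            pe.exports(/^PLACEHOLDER_VendorExport_/)
        ) and
        // 3) an icon resource, used to look like the legitimate application
        for any i in (0 .. pe.number_of_resources - 1) : (
            pe.resources[i].type == pe.RESOURCE_TYPE_ICON
        )
}
```

Run it recursively over a sample set with `yara -r <rule file> <directory>`. The unsigned-file condition assumes the vendor's own binaries are signed; confirm that against a known-good installation before relying on it, and tune the string set against legitimate installs to keep false positives down.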
## Indicators of Compromise
- Not an IOC generator; it is an IOC detection method.
## Associated Threat Actors
- Used to detect artifacts generated by threat actors aiming for OT systems (Ramnit, Chaya_003 actors, etc.).
## Detection Methods
- **Signature-based detection**: Utilizing the custom YARA rule applied over 90 days.
## Mitigation Strategies
- Deploying monitoring solutions capable of running advanced detection rules (like YARA) across IT and OT systems.
## Related Tools/Techniques
- General-purpose malware detection tools (which initially flagged engineering executables).
***
# Tool/Technique: Botnet Families (Aisuru, Kaiten, Gafgyt)
## Overview
Aisuru, Kaiten, and Gafgyt are automated botnet families analyzed by Forescout that were present in the VirusTotal repository alongside FrostyGoop/BUSTLEBERM. They often leverage default credentials to infect internet-accessible devices, which then serve as initial entry points into OT networks.
## Technical Details
- Type: Malware families (Botnets)
- Platform: Internet-accessible devices (Initial infection vector)
- Capabilities: Automated infection, use of default credentials, potential for wiping sensitive data directories.
- First Seen: Ongoing, observed concurrently with recent OT threats.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
  - T1133 - External Remote Services (Leveraging default credentials)
- TA0003 - Persistence
  - T1550 - Use Alternate Authentication Material (Default Credentials)
- TA0010 - Exfiltration (Implied, typical of botnets)
## Functionality
### Core Capabilities
- Infiltrating networks via internet-accessible devices.
- Exploiting default credentials on OT/IoT devices for access.
- Carrying instructions to wipe sensitive data directories.
### Advanced Features
- Automated scaling and widespread infection typical of botnets.
## Indicators of Compromise
- **Behavioral Indicators**: Initial infection attempts on OT devices using default credentials.
## Associated Threat Actors
- General cybercriminal entities leveraging established botnets for initial access.
## Detection Methods
- Monitoring for initial connection attempts using default credentials on OT devices.
## Mitigation Strategies
- Changing all default credentials on OT devices.
- Restricting direct internet exposure of OT and control system devices.
## Related Tools/Techniques
- Any exploit targeting IoT/OT devices with weak authentication.